Mr. Chairman and Members of the Committee:

I  appreciate  the  opportunity  to  be  here  today  to  participate  in  the 
Committee’s  hearing  on  implementation  of  the  Government  Paperwork 
Elimination  Act  (GPEA).1  The  act  requires  that  by  2003  federal  agencies 
provide  the  public,  when  practicable,  the  option  of  submitting, 
maintaining,  and  disclosing  required  information — such  as  employment 
records,  tax  forms,  and  loan  applications — electronically,  instead  of  on 
paper.  In  October  2000,  federal  agencies  submitted  GPEA  implementation 
plans  to  the  Office  of  Management  and  Budget  (OMB),  which  is 
responsible  for  executive  branch  oversight  of  GPEA. 

As  you  know,  we  are  currently  conducting  a  review  of  agency  GPEA 
implementation  plans  at  the  request  of  the  Chairman  of  the  Senate 
Committee  on  Governmental  Affairs.  For  this  hearing,  you  asked  us  to 
report  specifically  on  the  efforts  of  three  agencies  to  meet  the 
requirements  of  GPEA,  as  reflected  in  the  plans  they  submitted  to  OMB. 
The  three  agencies  are  the  Department  of  the  Treasury,  the  Environmental 
Protection  Agency  (EPA),  and  the  Department  of  Defense  (DOD).  After 
describing  the  framework  of  OMB’s  GPEA  guidance,  I  will  discuss  each 
agency’s  plan,  including  its  overall  strategy  for  complying  with  GPEA,  as 
well  as  the  data  on  information-collection  activities  provided  as 
attachments  to  each  of  their  plans. 

To  prepare  for  this  hearing,  we  obtained  and  analyzed  the  plans  submitted 
by  each  of  the  three  agencies  and  held  discussions  with  cognizant  officials 
on  their  progress  and  challenges  in  meeting  GPEA’s  October  2003 
deadline.  Because  of  time  constraints,  we  did  not  attempt  to  verify  the 
data  reported  in  the  plans  regarding  planned  electronic  conversions  for 
specific  systems  and  processes. 


Results  in  Brief 


The  plans  submitted  by  Treasury  and  EPA  generally  provide  the  kind  of 
information  that  was  specified  in  OMB’s  July  2000  guidance.  However, 
DOD’s  plan  did  not  include  a  description  of  the  department’s  overall  GPEA 
strategy  and,  in  some  cases,  the  data  provided  for  specific  information 
collections  may  be  inaccurate,  incomplete,  or  duplicative. 

Officials  of  all  three  agencies  said  that  they  faced  challenges  in  complying 
with  GPEA,  particularly  with  regard  to  implementing  adequate  security 
assurances  for  sensitive  electronic  transactions  and  in  planning  for  and 


1  P.L.  No.  105-277,  Div.  C,  tit.  XVII. 
implementing computer network infrastructures. Further, OMB will be
challenged  in  providing  oversight  of  agency  GPEA  activities  because  the 
plans  submitted  by  the  agencies  do  not  document  key  strategic  actions, 
nor  do  they  specify  when  they  will  be  undertaken.  Taken  in  isolation,  the 
plans  do  not  provide  sufficient  information  to  assess  agencies’  progress  in 
meeting  the  objectives  of  the  act.  To  address  this  issue,  OMB  may  wish  to 
require  agencies  to  report  on  major  agencywide  activities,  including 
specific  planned  tasks  and  milestones  and  the  rationale  for  adopting  them. 


Background 


Advances  in  the  use  of  information  technology  and  the  Internet  are 
transforming  the  way  federal  agencies  communicate,  use  information, 
deliver  services,  and  conduct  business.  To  increase  the  ability  of  citizens 
to  interact  with  the  federal  government  electronically,  in  1998  the 
Congress  enacted  GPEA. 

GPEA  makes  OMB  responsible  for  ensuring  that  federal  agencies  meet  the 
act’s  October  21,  2003,  implementation  deadline.  In  May  2000,  OMB  issued 
GPEA  implementation  guidance,2  which  lays  out  a  process  and  principles 
for  agencies  to  employ  in  evaluating  the  use  and  acceptance  of  electronic 
documents  and  signatures.  The  guidance  calls  for  agencies  to  examine 
business  processes  that  might  be  revamped  to  employ  electronic 
documents,  forms,  or  transactions;  identify  customer  needs  and  demands; 
consider  the  costs,  benefits,  and  risks  associated  with  making  the 
transition  to  electronic  environments;  and  develop  plans  and  strategies  for 
recordkeeping  and  security.  In  September  2000,  we  concluded  that  OMB’s 
GPEA  guidance — as  well  as  the  guidance  and  supplementary  efforts  being 
undertaken  by  Treasury,  the  National  Archives  and  Records 
Administration,  the  Departments  of  Justice  and  Commerce  and  others — 
provided  a  useful  foundation  of  information  to  assist  agencies  with  GPEA 
implementation and the transition to electronic government (e-government).3
Our report also laid out information technology
management  challenges  that  are  fundamental  to  the  success  of  GPEA. 

OMB’s  May  guidance  also  required  each  agency,  by  October  2000,  to 
develop  and  submit  a  GPEA  implementation  plan  and  schedule.  According 
to  this  guidance,  these  plans  were  to  prioritize  implementation  of  systems 
and  system  modules  based  on  achievability  and  net  benefit.  Further, 


2  OMB  Memorandum  M-00-10,  “OMB  Procedures  and  Guidance  on  Implementing  the  Government 
Paperwork  Elimination  Act.” 

3  Electronic  Government:  Government  Paperwork  Elimination  Act  Presents  Challenges  for  Agencies 
(GAO/AIMD-00-282, September 15, 2000).
agencies were required to coordinate their GPEA plans and schedules with
their  strategic  information  technology  (IT)  planning  activities  and  report 
progress  annually. 


OMB’s Supplemental Guidance on Preparing Agency Plans


In  July  2000  OMB  issued  supplemental  guidance  that  provided  a 
structured,  standardized  format  for  agency  reporting  of  GPEA 
implementation  plans.  Unlike  the  May  2000  guidance,  which  discussed  a 
wide  range  of  activities  needed  for  an  agency  to  comply  with  GPEA,  this 
new  guidance  focused  on  specific  kinds  of  data  that  OMB  was  expecting 
agencies  to  submit  in  the  October  2000  plans.  The  new  guidance  specified 
that  the  plans  be  divided  into  four  parts: 

•  First,  agencies  were  to  provide  a  cover  letter  describing  their  overall 
strategy  and  actions  to  comply  with  the  act.  This  letter  is  the  part  of 
the  plan  that  provides  an  agencywide  perspective  on  GPEA 
compliance  efforts. 

•  Second,  agencies  were  required  to  provide  data  in  tabular  form 
regarding  information-collection  activities  approved  by  OMB  under  the 
Paperwork  Reduction  Act  (PRA),  which  mandates  that  OMB  review 
how  agencies  collect  and  use  information.4  The  data  tables  were  to 
include  a  column  showing  when  an  electronic  option  would  be 
completed  (if  one  was  being  planned)  and  whether  electronic 
signatures  were  to  be  used. 

•  Third,  agencies  were  requested  to  provide  an  additional  table  showing 
interagency  reporting,  information-dissemination  activities,  and  other 
agency-identified  transactions.  According  to  OMB’s  guidance, 
“interagency  reporting”  encompasses  ongoing,  periodic  reports,  such 
as  personnel  and  payroll  reports,  which  are  exchanged  among 
agencies.  “Information-dissemination  activities”  refers  to  information 
products  intended  for  the  general  public,  such  as  the  periodic  release 
of  labor  statistics.  Like  the  PRA-based  inventory,  this  list  was  to 
include  a  column  showing  when  an  electronic  option  would  be 
completed,  if  planned,  and  whether  electronic  signatures  were  to  be 
used. 


4  Under  the  Paperwork  Reduction  Act  of  1995  (P.L.  104-13),  OMB  determines  whether  the  agency 
needs  the  information,  whether  the  agency  has  minimized  the  burden  on  the  public  of  collecting 
it,  and  whether  the  agency  has  maximized  the  utility  of  the  information  collected. 


GAO-01-861T  GPEA  Implementation  Plans 


•  Lastly,  supplemental  information  was  also  to  be  provided  about  any  of 
the  previously  listed  transactions  that  the  agency  had  determined  to 
pose  a  “high  risk,”  such  as  those  involving  particularly  sensitive 
information  or  very  large  numbers  of  respondents.  This  section  of  the 
plan  was  to  include  a  description  of  the  transactions,  their  sensitivity, 
and  additional  risk  management  measures  that  would  be  taken. 


Department of the Treasury


Let  me  now  turn  to  the  three  agency  plans  you  asked  us  to  review. 
According  to  Treasury’s  plan,  the  department’s  GPEA-related  activities  are 
a  critical  component  of  the  overall  departmental  effort  to  fundamentally 
redefine  the  way  it  performs  its  critical  missions.  According  to  the  plan,  a 
key  element  of  that  effort  was  the  development  of  an  e-government 
strategic  plan — just  published  this  month — which  Treasury  is  using  as  a 
framework  for  selecting  and  implementing  electronic  initiatives. 

In  addition  to  its  internal  initiatives,  Treasury’s  plan  notes  that  the 
department  has  been  involved  in  governmentwide  actions  to  advance 
electronic  government  and  comply  with  GPEA.  A  key  example  is  Pay.gov, 
an  Internet  portal  developed  by  its  Financial  Management  Service. 
According  to  the  plan,  the  services  of  Pay.gov  can  help  agencies  meet 
GPEA  requirements  to  accept  forms  electronically  by  2003  by  offering  a 
package  of  electronic  financial  services  to  assist  agencies,  such  as 
enabling  end-users  to  submit  agency  forms  and  authorize  payments, 
presenting agency bills to end-users, and establishing the identity of
end-users and reporting information about transactions back to the agencies.
Once  fully  operational,  this  service  could  help  agencies  throughout  the 
federal  government  to  more  easily  reach  the  goals  of  GPEA. 

According  to  the  department’s  deputy  chief  information  officer  (CIO),  the 
progress  of  major  GPEA-related  initiatives  at  Treasury  is  being  monitored 
through  monthly  CIO  meetings  with  representatives  from  each  of  the 
department’s  various  bureaus  and  by  using  an  investment  management 
tool.5 The Deputy CIO added that compliance with GPEA is also included
in the criteria that Treasury uses in its investment review process for
evaluating newly proposed information technology projects.


5 This tool, known as I-TIPS (Information Technology Investment Portfolio System), is a web-based
decision  support  and  project  management  tool  to  help  support  the  management  of  information 
technology  investments. 
Treasury’s Data Collection Activities


Treasury  used  its  database  of  information  collections  identified  under  PRA 
as  a  starting  point  for  preparing  the  required  data  tables  for  its  GPEA 
implementation  plan.  PRA  information  collections  include  such  things  as 
requests for forms and publications, tax-related forms, and
business-production reports. To refine the list, the department’s CIO organization
convened  a  group  comprising  representatives  from  Treasury’s  IT  policy 
and  strategy  group,  CIO  development  team,  bureau  representatives,  and 
policy  office  representatives.  The  group  reviewed  the  PRA  collections  and 
added  a  records  management  initiative  that  had  not  been  part  of  the 
original  database. 


Treasury’s  plan  provides  the  kind  of  information  stipulated  in  OMB’s  July 
2000 guidance. Altogether, Treasury identified 336 PRA
information-collection processes that are subject to GPEA. According to the plan, 23 of
these  are  scheduled  for  conversion  to  an  electronic  option  in  2001,  36  are 
scheduled  for  2002,  and  84  are  scheduled  for  2003.  Of  the  remaining 
initiatives,  80  were  reported  to  already  be  converted,  two  are  scheduled 
for  conversion  in  2004,  and  111  were  not  assigned  a  completion  date  for 
conversion.  In  all  but  one  case  where  the  conversion  date  was  beyond 
October  2003  or  not  assigned,  Treasury  included  explanations,  as  required 
by  OMB’s  guidance. 


Further,  Treasury  identified  105  initiatives  offering  an  electronic  option  for 
interagency  reporting,  information-dissemination  activities,  and  other 
transactions,  and  four  transactions  identified  as  high  risk.6  For  those 
initiatives  included  in  Treasury’s  plan  that  did  not  specify  completion 
dates,  the  department  plans  to  include  that  information  when  it  becomes 
available,  according  to  the  deputy  CIO.  The  plan  also  is  expected  to  be 
updated  as  the  bureaus  and  department  offices  make  progress  toward 
completing  its  initiatives. 


Environmental Protection Agency


According  to  its  October  2000  plan,  EPA  is  currently  undertaking  three 
major  activities  in  an  effort  to  provide  e-government  services  and  comply 
with  GPEA.  The  first  initiative  is  to  establish  a  new  rule  that  would  permit 
electronic  reporting  and  recordkeeping  and  establish  the  requirements 
necessary  to  ensure  that  electronic  documents  are  valid  and  authentic. 
EPA  has  drafted  the  proposed  new  rule,  and  it  is  currently  being  reviewed 


6  The  four  high  risk  transactions  are  (1)  The  Bureau  of  Engraving  and  Printing’s  (BEP)  “Owner’s 
Affidavit  of  Partial  Destruction  of  Mutilated  Currency,”  (2)  BEP’s  “Claim  for  Amounts  Due  in  the  Case 
of  Deceased  Owner  of  Mutilated  Currency,”  (3)  multiple  application  forms  associated  with  the 
Community  Development  Financial  Institutions  Fund,  and  (4)  “Request  for  Transfer  of  Property 
Seized/Forfeited  by  a  Treasury  Agency,”  also  known  as  an  asset-sharing  request. 
by administration officials. Agency officials expect it to be approved this
year, with a final rule to be published in 2002.

The  second  major  initiative  is  the  development  of  a  computer  network 
facility  known  as  the  Central  Data  Exchange.  This  new  facility  is  to  be  the 
central  point  of  entry  for  all  electronic  reporting,  and  is  expected  to 
provide  security,  authentication,  error  detection,  and  distribution 
capabilities.  EPA  expects  the  facility  to  be  fully  operational  by  the  fall  of 
2002. 

The  third  major  initiative  is  to  improve  EPA’s  information  security.  We 
have  previously  reported  on  significant  weaknesses  in  EPA’s  information 
security  program.7  The  October  2000  plan  states  that  the  agency  has  made 
significant  progress  in  improving  its  cyber  defenses  by  implementing 
security  confidentiality  protocols  and  procedures.  Further,  agency  officials 
state  that  they  are  actively  exploring  the  use  of  electronic  signatures  and 
public  key  infrastructure  (PKI)8  technology  to  ensure  the  security, 
confidentiality,  and  non-repudiation  of  sensitive  data  collections. 


EPA’s Data Collection Activities


EPA  used  an  iterative  process  to  develop  its  October  2000  plan.  Starting 
with  its  internal  PRA  database  as  a  baseline,  Office  of  Environmental 
Information  personnel  created  a  template  of  information  collections  that 
was  sent  to  each  program  office  for  validation  and  for  completion  of 
additional  GPEA-related  data.  The  agency’s  final  plan  contains  a  detailed 
inventory  of  its  PRA  information  collections.  An  EPA  official  said  that  this 
inventory  and  its  related  attachments  include  all  of  the  information 
regarding  plans  for  electronic  interagency  reporting,  information 
dissemination  activities,  and  high-risk  transactions,  as  required  by  OMB. 

EPA  identified  279  data-collection  activities  applicable  to  GPEA.  Through 
iterative  reviews,  it  determined  that  108  of  these  were  not  candidates  for 
electronic  reporting  for  reasons  such  as  that  they  involved  interaction  with 
only  a  few  members  of  the  public  or  because  filling  out  a  paper  form  was 
deemed  to  not  be  a  significant  burden.  According  to  the  agency’s  plan,  of 
the  171  data  collections  that  were  considered  suitable  for  electronic 


7 Information Security: Fundamental Weaknesses Place EPA Data and Operations at Risk
(GAO/AIMD-00-215, July 6, 2000).

8  A  PKI  is  a  system  of  hardware,  software,  policies  and  people  that,  when  fully  and  properly 
implemented,  can  provide  a  suite  of  information  security  assurances — including  confidentiality,  data 
integrity,  authentication,  and  nonrepudiation — that  are  important  in  protecting  sensitive 
communications and transactions.
reporting, 21 have already been converted, 3 are scheduled for 2001, 13 are
scheduled  for  2002,  and  96  are  scheduled  for  2003. 

The  remaining  38  data  collections  that  will  not  be  ready  for  electronic 
reporting  by  the  GPEA  deadline  all  involve  the  reporting  of  confidential 
business  information.  The  electronic  transmission  of  this  type  of  data 
poses  additional  risks  that  EPA  does  not  plan  to  have  fully  addressed  by 
October  2003.  Agency  officials  state  that  they  are  in  the  process  of 
assessing  these  data  collections  to  determine  how  to  collect  these  data 
centrally  and  in  a  secure  form.  By  2003  they  expect  that  they  will  be 
testing  methods  of  secure  transmission  but  do  not  expect  them  to  be 
operational  until  after  the  GPEA  deadline. 

According  to  EPA  officials,  in  anticipation  of  a  request  by  OMB  for 
updated  information  on  the  data-collection  inventories,  they  sent  a  letter 
to  the  program  offices  asking  for  such  updated  information.  Using  these 
responses,  EPA  officials  plan  to  update  their  data-collection  inventory. 


Department of Defense


DOD’s  October  2000  GPEA  plan  does  not  include  a  description  of  the 
department’s  overall  strategy  and  efforts  to  comply  with  GPEA.  Likewise, 
DOD  officials  could  not  provide  us  with  documentation  specifically 
addressing  a  departmentwide  implementation  strategy. 

Officials from DOD’s Office of the CIO told us that major GPEA-related activities
within  the  department  are  focused  on  enabling  and  enhancing  electronic 
business  applications  and  that  the  department’s  strategic  plans  for 
business  process  transformation  include  objectives  that  incidentally 
address  the  goals  of  GPEA.  Examples  include  the  department’s  paperless 
contracting  project — which  aims  to  achieve  paperless  processes  for  many 
aspects  of  contracting  and  invoicing — and  its  Central  Contractor 
Registration  System,  which  contains  electronic  information  about 
contractors  and  vendors.  The  bulk  of  DOD’s  departmentwide  activity  is 
focused  on  developing  a  PKI  to  control  access  to  sensitive  information  and 
provide  security  for  electronic  transactions  via  digital  signatures. 


DOD’s Data Collection Activities


To  assemble  the  department’s  plan,  officials  from  the  CIO’s  office  began 
by  providing  the  military  services  and  other  departmental  components 
with  listings  of  their  information  collections  reported  under  PRA  and 
requested  that  they  provide  GPEA  information  for  those  items  and  add  any 
others  that  might  be  appropriate.  The  services  and  components,  in  turn, 
relayed  the  data  requests  to  their  sub-components  until  a  level  was 
reached  that  could  provide  information  about  the  specific  collections.  The 
data were then reported back up to the office of the CIO, where they were
consolidated  into  a  single  report  for  OMB. 

The  data  tables  provided  in  DOD’s  plan  generally  conform  to  the  format 
specified  in  OMB’s  July  2000  guidance.  The  tables  indicate  that  DOD 
conducted 449 information-collection activities meeting OMB’s reporting
requirements  for  PRA.  They  also  identify  13  interagency  reporting  and 
information  dissemination  activities,  as  well  as  four  transactions  that  were 
determined  to  pose  a  high  risk.9 

The  Office  of  the  CIO  did  not  review  the  data  it  received  from  the  various 
DOD  components  for  completeness  or  accuracy  before  reporting  the 
information  to  OMB  in  October  2000.  In  reviewing  the  data,  we  found 
indications  that  some  may  be  inaccurate,  incomplete,  or  duplicative.  For 
example,  the  Defense  Security  Service  made  238  entries  for  data-collection 
activities  that  included  little  of  the  information  requested  by  OMB  and 
appeared,  in  many  cases,  not  appropriate  as  separate  entries.  In 
discussions  with  us,  DOD  officials  agreed  that  the  Defense  Security 
Service  had  reported  incomplete  and  possibly  inaccurate  information  and 
said  that  they  would  request  that  the  service  correct  it. 

The  Office  of  the  CIO  has  taken  steps  to  follow  up  on  the  information 
submitted  by  the  military  services  and  DOD  components.  In  January  2001, 
the  CIO  issued  a  memorandum  to  the  services  and  components  forwarding 
OMB’s  May  2000  guidance  on  GPEA  implementation.  The  memo  stated 
that  CIOs  of  the  DOD  components  would  be  expected  to  apply  it  during 
their  continued  planning,  development,  redesign,  operation,  and  oversight 
of  department  systems.  According  to  CIO  officials,  this  memo  is  the  first 
formal  DOD  guidance  document  specifically  addressing  GPEA. 

Further,  in  April,  the  DOD  CIO  office  requested  that  the  services  and 
components  review  the  accuracy  of  their  portions  of  the  GPEA 
implementation  plan.  However,  DOD  CIO  officials  indicated  that  only  one 
official — from  the  Office  of  the  Assistant  Secretary  of  Defense  (Public 
Affairs) — had  responded  to  this  information  request,  and  that  was  to 
correct  possible  errors  for  a  single  item.10 


9  The  four  high-risk  transactions  are  (1)  Application  for  Uniformed  Services  Identification  Card, 
(2)  Exceptional  Family  Member  Medical  and  Educational  Summary,  (3)  TRICARE  Senior  Prime 
Enrollment  Application,  and  (4)  Continued  Health  Care  Benefit  Program  Application. 

10  The  item  was  “Stars  and  Stripes  Audience  Survey.” 
Data-Collection Activities for Personnel and Readiness


Mr.  Chairman,  you  also  asked  us  to  assess  the  Personnel  and  Readiness 
portion  of  DOD’s  plan.  For  this  category,  DOD  reported  76  PRA 
information-collection  activities  and  ten  interagency  reporting  and 
information-dissemination  activities.  DOD  provided  a  projected 
completion  date  for  one  of  the  76  PRA-type  activities  and  for  two  of  the 
ten  interagency  and  information-dissemination  activities. 


Additionally,  we  found  that  38  of  the  76  PRA  information  collections  and 
four  of  the  ten  interagency  reporting  and  information-dissemination 
activities  were  likely  duplicate  entries.  We  met  with  officials  from  the 
Office  of  the  CIO  and  the  Undersecretary  of  Defense  for  Personnel  and 
Readiness  and  pointed  out  the  potential  duplication.  The  officials  agreed 
and  subsequently  notified  us  that  Personnel  and  Readiness  had  corrected 
the  discrepancies. 


Agencies Face Challenges in Achieving Full Compliance with GPEA


In  our  discussions  with  agency  officials,  several  themes  emerged  as 
significant  challenges  in  meeting  the  goals  of  GPEA.  First,  all  three 
agencies  have  determined  that  the  security  assurances  provided  through 
the  use  of  PKI  technology  will  be  needed  to  enable  many  of  their  sensitive 
electronic  transactions.11  As  I  mentioned  earlier,  DOD’s  Office  of  the  CIO 
is  developing  a  departmentwide  PKI,  and  the  office  is  working  with  the 
General  Services  Administration  (GSA)  to  make  its  PKI  interoperable  with 
GSA’s  governmentwide  Access  Certificates  for  Electronic  Services 
program.  EPA  is  also  pilot-testing  the  use  of  electronic  signatures  and 
digital  certificates  through  GSA’s  program,  and  has  applied  for  a  grant 
from  GSA  to  conduct  a  PKI  interoperability  project.  Treasury  is  also 
closely  involved  in  the  governmentwide  effort  to  develop  PKI,  having 
recently  chaired  the  CIO  Council’s  Federal  PKI  Steering  Committee. 
According  to  Treasury’s  deputy  CIO,  the  department  will  be  challenged  to 
develop  its  own  PKI  because  it  will  need  to  pool  resources  from,  and 
coordinate  activities  with,  all  of  its  bureaus. 

Second,  EPA  and  Treasury  both  commented  about  the  importance  of 
adequately  planning  for  and  implementing  computer  network  and 
telecommunications  infrastructures  to  provide  the  capacity  and 
connectivity  needed  to  support  the  electronic  traffic  generated  by  new  or 
enhanced  electronic  offerings.  According  to  agency  officials,  many  types 
of  transactions  covered  by  GPEA  will  require  the  support  of  new 


11  Issues  related  to  implementation  of  PKI  technology  are  discussed  in  further  detail  in  Information 
Security:  Advances  and  Remaining  Challenges  to  Adoption  of  Public  Key  Infrastructure  Technology 
(GAO-01-277, February 26, 2001).
enterprisewide infrastructure. For example, EPA’s Central Data Exchange
project  is  a  major  infrastructure  undertaking  that  will  be  critical  to 
enabling  the  electronic  exchange  of  information  between  EPA  and  state 
environmental  agencies.  Likewise,  Treasury  is  developing  the  Treasury 
Communications  Enterprise  to  provide  a  common  departmentwide 
communications  infrastructure  to  support  electronic  government 
initiatives  throughout  the  department. 

Third,  agencies  will  need  adequate  capabilities  for  storing,  retrieving,  and 
disposing  of  electronic  records.  EPA  officials  expressed  concern  about  the 
status  of  governmentwide  electronic  recordkeeping  standards,  which  have 
not  yet  been  finalized.  Many  electronic  systems  are  already  being 
developed  and  implemented  that  may  be  incompatible  with  future 
standards. 

As  we  reported  last  September,12  federal  agencies  face  additional 
information  management  challenges  that  are  also  fundamental  to  the 
success  of  GPEA.  Specifically,  agencies  will  need  to 

•  use  disciplined  investment  management  practices  to  ensure  that  the 
full  costs  of  providing  electronic  filing,  recordkeeping,  and 
transactions  prompted  by  GPEA  are  identified  and  examined  within 
the  context  of  expected  benefits;  and 

•  ensure  that  IT  human  capital  needs  are  addressed  so  that  staff  can 
effectively  operate  and  maintain  new  e-government  systems, 
adequately  oversee  related  contractor  support,  and  deliver  responsive 
service  to  the  public. 


OMB Will Be Challenged in Overseeing Agency Strategic GPEA-Related Activities


OMB  will  also  be  challenged  in  its  oversight  role  of  ensuring  that  agencies 
comply  with  GPEA.  As  I  mentioned,  OMB’s  initial  guidance  issued  in  May 
2000  prescribed  policies  and  procedures  for  agencies  to  follow  in 
implementing  the  act.  For  example,  the  guidance  states  that  agencies 
should  prioritize  GPEA  implementation  based  on  achievability  and  net 
benefit.  A  number  of  the  prescribed  procedures  were  focused  on 
agencywide  strategic  actions,  such  as 

•  examining  business  processes  that  might  be  revamped  to  employ 
electronic  documents,  forms,  or  transactions; 


12  Electronic  Government:  Government  Paperwork  Elimination  Act  Presents  Challenges  for  Agencies 
(GAO/AIMD-00-282, September 15, 2000).
• identifying customer needs and demands as well as the existing risks
associated  with  fraud,  error,  or  misuse;  and 

•  evaluating  electronic  signature  alternatives,  including  risks,  costs,  and 
practicality. 

However,  the  GPEA  implementation  plans  submitted  by  federal  agencies 
do  not  provide  sufficient  information  with  which  to  assess  whether 
agencies  have  been  engaging  in  these  processes.  While  OMB’s  subsequent 
July  reporting  guidance  called  for  a  brief  cover  letter  describing  an 
agency’s  overall  strategy  and  actions  to  comply  with  the  act,  it  did  not 
stipulate  a  full  report  on  the  variety  of  strategic  activities  and  other  tasks 
that  agencies  were  expected  to  perform,  and  their  schedules  for  carrying 
them  out.  Further,  the  format  prescribed  for  the  information-collection 
data  tables  does  not  provide  for  any  indication  of  whether  electronic 
implementation  has  been  prioritized  based  on  achievability  and  net 
benefit. 

OMB  may  wish  to  consider  whether  a  more  comprehensive  agency  status 
report  is  necessary  in  order  to  gain  better  insight  into  agencywide  GPEA 
planning.  Specifically,  agencies  could  be  asked  to  report  on  the  status  of 
the  specific  tasks  outlined  in  OMB’s  May  2000  guidance,  and  provide 
milestones  for  completing  tasks  that  are  still  underway.  This  would  allow 
OMB  to  better  assess  whether  individual  agencies  are  likely  to  achieve  the 
objectives  of  the  act. 

Mr.  Chairman,  this  concludes  my  statement.  I  would  be  pleased  to  respond 
to  any  questions  that  you  or  other  members  of  the  Committee  may  have  at 
this  time. 


